<!DOCTYPE HTML>
<html lang="en-US">

	
    <head>
    
    
    
    
    <meta charset="UTF-8"/>
    <meta name="viewport" content="width=device-width"/>
	<meta name="description" content="We detail the update that advanced persistent threat (APT) group Iron Tiger made on the custom malware family SysUpdate. In this version, we also found components that enable the malware to compromise Linux systems."/>
	<meta name="robots" content="index,follow"/>
	<meta name="keywords" content="malware,cyber crime,exploits &amp; vulnerabilities,cyber threats,apt &amp; targeted attacks,endpoints,network,articles, news, reports"/>
	<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"/>
	<meta name="template" content="article1withouthero"/>
    <meta property="article:published_time" content="2023-03-01"/>
    <meta property="article:tag" content="apt &amp; targeted attacks"/>
    <meta property="article:section"/>
    
    <link rel="icon" type="image/ico" href="/content/dam/trendmicro/favicon.ico"/>
	<link rel="canonical" href="https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html"/>

    <title>Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting</title>
			 
    

    <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600" rel="stylesheet"/>
<link href="//customer.cludo.com/css/296/1798/cludo-search.min.css" type="text/css" rel="stylesheet"/>



    
    
    

    
    
    
    
<link rel="stylesheet" href="/etc.clientlibs/trendresearch/clientlibs/clientlib-trendresearch.min.css" type="text/css">



    

    

	<meta property="og:url" content="https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html"/>
<meta property="og:title" content="Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting"/>
<meta property="og:description" content="We detail the update that advanced persistent threat (APT) group Iron Tiger made on the custom malware family SysUpdate. In this version, we also found components that enable the malware to compromise Linux systems."/>
<meta property="og:site_name" content="Trend Micro"/>
<meta property="og:image" content="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/thumbnails/23/iron-tiger-sysupdate-adds-linux-targeting.jpg"/>
<meta property="og:locale" content="en_US"/>

	<meta name="twitter:card" content="summary_large_image"/>
<meta name="twitter:site" content="@TrendMicro"/>
<meta name="twitter:title" content="Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting"/>
<meta name="twitter:description" content="We detail the update that advanced persistent threat (APT) group Iron Tiger made on the custom malware family SysUpdate. In this version, we also found components that enable the malware to compromise Linux systems."/>
<meta name="twitter:image" content="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/thumbnails/23/iron-tiger-sysupdate-adds-linux-targeting.jpg"/>


    </head>
    
    <body class="articlepage page basicpage context-business">

        
                      
     		<!-- /* Data Layer */ -->
			<script type="text/javascript">
				var utag_data = {"customer_cookie_type":"business","language_code":"en_us","page_name":"research/23/c/iron-tiger-sysupdate-adds-linux-targeting/en_us","category_id":"en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting","page_type":"unknown","site_section":"research","post_author":"Daniel Lunghi|Threat Researcher","post_date":"2023-03-01"};
			</script>


            



            
<div class="header globalHeaderV2">

<span class="new-static-header">
	<div class="disruptorPanel">

<div class="disruptor-panel__alert">

	<div class="inner-container">
		<button class="sliding-dismiss-button">
			<span class="button-text">dismiss</span>
			<span class="icon-close"></span>
		</button>
	</div>
</div>
</div>
	<div class="main-header new-main-header">
		<!-- Nav Sticky Wrapper -->
		<div class="nav-sticky-wrapper">
			<!-- Top Bar -->
			<div class="top-bar hidden-xs hidden-sm">
				<div class="inner-container">
					<div class="utility-col">
						<div class="utilityMenu utilityMenu-desktop"><nav class="utilityMenu__wrapper">

	<div class="dropdown utilityAlerts ">
	<button class="menu-button" type="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
		<span class="hidden menu-button__alert-count"></span>
		<span class="menu-button__icon icon-alert"></span>
		<span class="menu-button__text">Alerts</span>
	</button>
	<ul class="hidden dropdown-menu alerts-container ">
	</ul>

<ul class="dropdown-menu no-alerts"><li>No new notifications at this time.</li></ul>

</div>

	
	

		<!-- /* Determine if we need to act as a link button, or a drop down menu */ -->
		

		
		<div class="dropdown hidden-xs ">
			<button class="menu-button button-default" type="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
				<span class="menu-button__icon icon-download"></span>
				<span class="menu-button__text">Download</span>
			</button>
			



			
				<ul class="dropdown-menu align-">
					
						<li>
							<a href="/en_us/business/products/downloads.html#scan-engines" id="a-util-download-scan-engines">
								
								Scan Engines
								
							</a>
						</li>
					
						<li>
							<a href="/en_us/business/products/downloads.html#all-pattern-files" id="a-util-download-pattern-files">
								
								All Pattern Files
								
							</a>
						</li>
					
						<li>
							<a href="/en_us/business/products/downloads.html" id="a-util-download-all-downloads">
								
								All Downloads
								
							</a>
						</li>
					
						<li class=" is-phone-number ">
							<a href="http://downloadcenter.trendmicro.com/index.php?clk=left_nav&clkval=rss_feed&regs=NABU" target="_blank" id="a-util-download-subscribe-rss-center" rel="noopener noreferrer" class="no-border ">
								
								Subscribe to Download Center RSS
								
							</a>
						</li>
					
				</ul>
			

			
		</div>
	

	


	

	
	

		<!-- /* Determine if we need to act as a link button, or a drop down menu */ -->
		

		
		<div class="dropdown ">
			<button class="menu-button button-default" type="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
				<span class="menu-button__icon icon-cart"></span>
				<span class="menu-button__text">Buy</span>
			</button>
			



			
				<ul class="dropdown-menu align-">
					
						<li class=" hidden-context-home ">
							<a href="/en_us/partners/find-a-partner.html" id="b-util-buy-find-partner">
								
								Find a Partner
								
							</a>
						</li>
					
						<li class=" hidden-context-business ">
							<a href="http://store.trendmicro.com/store/tmamer/Content/pbPage.Home/pgm.4823570300/" target="_blank" id="b-util-buy-home-office-store" rel="noopener noreferrer">
								
								Home Office Online Store
								
							</a>
						</li>
					
						<li class=" hidden-context-business ">
							<a href="http://store.trendmicro.com/store/tmamer/html/pbPage.ManualRenew/ThemeID.7735600" target="_blank" id="b-util-buy-home-renew" rel="noopener noreferrer">
								
								Renew Online
								
							</a>
						</li>
					
						<li class=" hidden-context-business ">
							<a href="/en_us/forHome/products/free-tools.html" id="b-util-buy-tools" class="no-border ">
								
								Free Tools
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="/en_us/business/get-info-form.html" id="b-util-buy-contact-sales">
								
								Contact Sales
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="/en_us/contact.html" id="b-util-buy-locations">
								
								Locations Worldwide
								
							</a>
						</li>
					
						<li class="dropdown-header hidden-context-home is-phone-number ">
							
								
								1-888-762-8736  (M-F 8am - 5pm CST)
								
							
						</li>
					
						<li class="dropdown-header hidden-context-home ">
							
								
								Small Business
								
							
						</li>
					
						<li class=" hidden-context-home ">
							<a href="http://buyonline.trendmicro.com/" target="_blank" id="b-util-buy-business-buy-online" rel="noopener noreferrer">
								
								Buy Online
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="http://renewonline.trendmicro.com/" target="_blank" id="b-util-buy-business-renew" rel="noopener noreferrer">
								
								Renew Online
								
							</a>
						</li>
					
				</ul>
			

			
		</div>
	

	


	

	
	

		<!-- /* Determine if we need to act as a link button, or a drop down menu */ -->
		

		
		<div class="dropdown stretched-dropdown">
			<button class="menu-button button-default" type="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
				<span class="menu-button__icon icon-region"></span>
				<span class="menu-button__text">Region</span>
			</button>
			



			

			
				<div class="dropdown-menu align-">
					<ul class="menu-column col-xs-12 col-sm-4 col-md-3">
						
							<li class="dropdown-header">
								
									
									The Americas
									
								
							</li>
						
							<li>
								<a href="/en_us.html">
									
									United States
									
								</a>
							</li>
						
							<li>
								<a href="/pt_br.html">
									
									Brasil
									
								</a>
							</li>
						
							<li>
								<a href="/en_ca.html">
									
									Canada
									
								</a>
							</li>
						
							<li>
								<a href="/es_mx.html" class="no-border ">
									
									México
									
								</a>
							</li>
						
							<li class="dropdown-header">
								
									
									Middle East &amp; Africa
									
								
							</li>
						
							<li>
								<a href="/en_za.html">
									
									South Africa
									
								</a>
							</li>
						
							<li>
								<a href="/en_ae.html">
									
									Middle East and North Africa
									
								</a>
							</li>
						
							<li class="dropdown-header break-column-desktop break-column-tablet">
								
									
									Europe
									
								
							</li>
						
							<li>
								<a href="/en_be.html">
									
									België (Belgium)
									
								</a>
							</li>
						
							<li>
								<a href="http://www.trendmicro.cz/">
									
									Česká Republika
									
								</a>
							</li>
						
							<li>
								<a href="/en_dk.html">
									
									Danmark
									
								</a>
							</li>
						
							<li>
								<a href="/de_de.html">
									
									Deutschland, Österreich Schweiz
									
								</a>
							</li>
						
							<li>
								<a href="/es_es.html">
									
									España
									
								</a>
							</li>
						
							<li>
								<a href="/fr_fr.html">
									
									France
									
								</a>
							</li>
						
							<li>
								<a href="/en_ie.html">
									
									Ireland
									
								</a>
							</li>
						
							<li>
								<a href="/it_it.html">
									
									Italia
									
								</a>
							</li>
						
							<li>
								<a href="/en_nl.html">
									
									Nederland
									
								</a>
							</li>
						
							<li class=" break-column-desktop">
								<a href="/en_no.html">
									
									Norge (Norway)
									
								</a>
							</li>
						
							<li>
								<a href="/pl_pl.html">
									
									Polska (Poland)
									
								</a>
							</li>
						
							<li>
								<a href="/en_fi.html">
									
									Suomi (Finland)
									
								</a>
							</li>
						
							<li>
								<a href="/en_se.html">
									
									Sverige (Sweden)
									
								</a>
							</li>
						
							<li>
								<a href="/tr_tr.html">
									
									Türkiye (Turkey)
									
								</a>
							</li>
						
							<li>
								<a href="/en_gb.html" class="no-border ">
									
									United Kingdom
									
								</a>
							</li>
						
							<li class="dropdown-header break-column-desktop break-column-tablet">
								
									
									Asia &amp; Pacific
									
								
							</li>
						
							<li>
								<a href="/en_au.html">
									
									Australia
									
								</a>
							</li>
						
							<li>
								<a href="/ru_ru.html">
									
									Центральная Азия (Central Asia)
									
								</a>
							</li>
						
							<li>
								<a href="/en_hk.html">
									
									Hong Kong (English)
									
								</a>
							</li>
						
							<li>
								<a href="/zh_hk.html">
									
									香港 (中文) (Hong Kong) 
									
								</a>
							</li>
						
							<li>
								<a href="/en_in.html">
									
									भारत गणराज्य (India)
									
								</a>
							</li>
						
							<li>
								<a href="/in_id.html">
									
									Indonesia
									
								</a>
							</li>
						
							<li>
								<a href="/ja_jp.html">
									
									日本 (Japan)
									
								</a>
							</li>
						
							<li>
								<a href="/ko_kr/business.html">
									
									대한민국 (South Korea)
									
								</a>
							</li>
						
							<li>
								<a href="/en_my.html">
									
									Malaysia
									
								</a>
							</li>
						
							<li>
								<a href="/en_us.html">
									
									Монголия (Mongolia) and рузия (Georgia)
									
								</a>
							</li>
						
							<li>
								<a href="/en_nz.html">
									
									New Zealand
									
								</a>
							</li>
						
							<li class=" break-column-desktop">
								<a href="/en_ph.html">
									
									Philippines
									
								</a>
							</li>
						
							<li>
								<a href="/en_sg.html">
									
									Singapore
									
								</a>
							</li>
						
							<li>
								<a href="/zh_tw.html">
									
									台灣 (Taiwan)
									
								</a>
							</li>
						
							<li>
								<a href="/th_th.html">
									
									 ประเทศไทย (Thailand)
									
								</a>
							</li>
						
							<li>
								<a href="/vi_vn.html" class="no-border ">
									
									Việt Nam
									
								</a>
							</li>
						
					</ul>
				</div>
			
		</div>
	

	


	

	
	

		<!-- /* Determine if we need to act as a link button, or a drop down menu */ -->
		

		
		<div class="dropdown ">
			<button class="menu-button button-default" type="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
				<span class="menu-button__icon icon-login"></span>
				<span class="menu-button__text">Log In</span>
			</button>
			



			
				<ul class="dropdown-menu align-">
					
						<li class=" hidden-context-home ">
							<a href="https://success.trendmicro.com/dcx/s/?language=en_US" target="_blank" id="d-util-login-business-support" rel="noopener noreferrer">
								
								Business Support Portal
								
							</a>
						</li>
					
						<li class=" hidden-context-business ">
							<a href="https://esupport.trendmicro.com/en-us/home/pages/resources.aspx" target="_blank" id="d-util-login-home-support" rel="noopener noreferrer" class="no-border ">
								
								Log In to Support
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://community-trendmicro.force.com/Partner" target="_blank" id="d-util-login-partner" rel="noopener noreferrer">
								
								Partner Portal
								
							</a>
						</li>
					
						
					
						<li class="dropdown-header hidden-context-business ">
							
								
								Home Solutions
								
							
						</li>
					
						<li class=" hidden-context-business ">
							<a href="https://account.trendmicro.com/?utm_source=www.trendmicro.com&utm_medium=referral" target="_blank" id="d-util-login-my-account" rel="noopener noreferrer">
								
								My Account
								
							</a>
						</li>
					
						<li class=" hidden-context-business ">
							<a href="http://www.trendmicro.com/ilostmyandroid" target="_blank" id="d-util-login-lost-device-portal" rel="noopener noreferrer">
								
								Lost Device Portal
								
							</a>
						</li>
					
						<li class=" hidden-context-business ">
							<a href="https://www.trendsecure.com/report_stolen/locker/report" target="_blank" id="d-util-login-tm-vault" rel="noopener noreferrer">
								
								Trend Micro Vault
								
							</a>
						</li>
					
						<li class=" hidden-context-business ">
							<a href="http://pwm.trendmicro.com/" target="_blank" id="d-util-login-password-manager" rel="noopener noreferrer">
								
								Password Manager
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://clp.trendmicro.com/" target="_blank" id="d-util-login-cust-license-portal" rel="noopener noreferrer">
								
								Customer Licensing Portal
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://esupport.trendmicro.com/oct" target="_blank" id="d-util-login-case-tracking" rel="noopener noreferrer">
								
								Online Case Tracking
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://sso.trendmicro.com/sso/form/authenticate.aspx" target="_blank" id="d-util-login-wfb-security-services" rel="noopener noreferrer">
								
								Worry-Free Business Security Services
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://tm.login.trendmicro.com/authenticate/api/false/tmrm" target="_blank" id="d-util-login-remote-manager" rel="noopener noreferrer">
								
								Remote Manager
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://cloudone.trendmicro.com/" target="_blank" id="d-util-login-cloud-one" rel="noopener noreferrer">
								
								Cloud One
								
							</a>
						</li>
					
						<li class=" hidden-context-business ">
							<a href="https://signup.cj.com/member/signup/publisher/?cid=1157059" target="_blank" id="d-util-login-home-referral" rel="noopener noreferrer" class="no-border ">
								
								Referral Affiliate
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://signup.cj.com/member/signup/publisher/?cid=1867119#/branded?_k=xaeu3t" target="_blank" id="d-util-login-business-referral" rel="noopener noreferrer">
								
								Referral Affiliate
								
							</a>
						</li>
					
				</ul>
			

			
		</div>
	

	


	

	
	

		<!-- /* Determine if we need to act as a link button, or a drop down menu */ -->
		

		
		<div class="dropdown ">
			<button class="menu-button button-default" type="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
				<span class="menu-button__icon icon-free-trial"></span>
				<span class="menu-button__text">Free trials</span>
			</button>
			



			
				<ul class="dropdown-menu align-">
					
						<li>
							<a href="/en_us/business/products/trials.html?tab=cloud" id="e-util-trials-cloud">
								
								Cloud
								
							</a>
						</li>
					
						<li>
							<a href="/en_us/business/products/trials.html?tab=detection-response" id="e-util-trials-detection-response">
								
								Detection and Response
								
							</a>
						</li>
					
						<li>
							<a href="/en_us/business/products/trials.html?tab=user-protection" id="e-util-trials-user-protection">
								
								User Protection
								
							</a>
						</li>
					
				</ul>
			

			
		</div>
	

	


	

	
	

		<!-- /* Determine if we need to act as a link button, or a drop down menu */ -->
		

		
		<div class="dropdown ">
			<button class="menu-button desktop-text button-red" type="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
				<span class="menu-button__icon icon-contact"></span>
				<span class="menu-button__text">Contact Us</span>
			</button>
			



			
				<ul class="dropdown-menu align-">
					
						<li class=" hidden-context-home ">
							<a href="/en_us/business/get-info-form.html" id="f-util-contact-sales">
								
								Contact Sales
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="/en_us/contact.html" id="f-util-contact-office-locations">
								
								Locations
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://success.trendmicro.com/dcx/s/?language=en_US" id="f-util-contact-tech-support">
								
								Support
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="/en_us/partners/find-a-partner.html" id="f-util-contact-find-partners">
								
								Find a Partner
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="/en_us/about/events.html" id="f-util-contact-events">
								
								Learn of upcoming events
								
							</a>
						</li>
					
						<li class="dropdown-header hidden-context-home ">
							
								
								Social Media Networks
								
							
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://www.facebook.com/TrendMicro/" id="f-util-contact-facebook">
								
								Facebook
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://twitter.com/trendmicro" id="f-util-contact-twitter">
								
								Twitter
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://www.linkedin.com/company/trend-micro/" id="f-util-contact-linkedin">
								
								Linkedin
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://www.youtube.com/user/TrendMicroInc" id="f-util-contact-youtube">
								
								Youtube
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://www.instagram.com/trendmicro/" id="f-util-contact-instagram">
								
								Instagram
								
							</a>
						</li>
					
						<li class="dropdown-header is-phone-number ">
							
								
								1-888-762-8736 (M-F 8-5 CST)
								
							
						</li>
					
				</ul>
			

			
		</div>
	

	<div class="dropdown utility-dropdown-search hidden-sm hidden-md hidden-lg">
		<button class="menu-button utility-search-button" type="button">
			<span class="menu-button__icon icon-search-thin"></span>
		</button>
	</div>
</nav>

</div>
					</div>
				</div>
			</div>
			<!-- Bottom Bar -->
			<div class="bottom-bar">
				<div class="inner-container">
					<nav class="mainNavMenu"><!--  Inner Container -->
<div class="inner-container">
	<!--  Logo Toggle Col -->
	<div class="logo-toggle-col">
		<div class="newlogo logo"><a href="/en_us/business.html">
	<img class="hidden-xs" src="/content/dam/trendmicro/global/en/core/images/logos/tm-logo-white-red-t.png" alt="Trend Micro Security"/>
	<img class="hidden-sm hidden-md hidden-lg" src="/content/dam/trendmicro/global/en/core/images/logos/tm-logo-white-red-t.png" alt="Trend Micro Security"/>
</a>


</div>
		<div class="toggle">
	<div class="toggle-button active">
		<a href="/en_us/business.html" data-businesscontext="true">
			Business&nbsp;
			<span class="icon-chevron-right hidden-xs"></span>
		</a>
	</div>
	<div class="toggle-button">
		<a data-businesscontext="false">
			&nbsp;
			<span class="icon-chevron-right hidden-xs"></span>
		</a>
	</div>

</div>
		<div class="mobile-right-controls hidden visible-xs visible-sm">
			<a href="#newnavmenu-mobile" class="menu-link toggle-newnavmenu-mobile collapsed" data-toggle="collapse">
				<div class="menu-icon">
					<div class="center-bar"></div>
				</div>
			</a>
			<div class="search-mobile toggle-search-mobile collapsed" data-target="#search-mobile-wrapper" data-toggle="collapse">
				<span class="icon-search"></span>
			</div>
		</div>
	</div>
	<div class="search-mobile-wrapper collapse dont-collapse-flex-md hidden-md hidden-lg" id="search-mobile-wrapper">
		<form class="main-menu-search" aria-label="Search Trend Micro">
			<div class="main-menu-search__field-wrapper" id="cludo-search-form-mobile">
				<table cellspacing="0" cellpadding="0" class="gsc-search-box" style="width:100%">
					<tbody>
						<tr>
							<td class="gsc-input">
								<input type="text" size="10" class="gsc-input" name="search" title="search" placeholder="Search Trend Micro"/>
							</td>
							<td class="gsc-search-close collapsed" style="width:1%;" data-target="#search-mobile-wrapper" data-toggle="collapse">
								<span class="icon-close"></span>
							</td>
						</tr>
					</tbody>
				</table>
			</div>
		</form>
	</div>
</div>

</nav>
				</div>
			</div>
			<!-- Sticky Nav -->
			<div class="stickyNav">


<div class="page-nav-wrapper">
	<div class="inner-wrapper">
		<!-- Sticky Nav - Article and Author Pages -->
		
    <!-- Page Properties Container -->
    <div class="page-properties-container">
        <div class="back-caret">
            <a href="https://www.trendmicro.com/en_us/research.html">
                <span class="icon-chevron-left"></span>
            </a>
        </div>
        <div class="display-tag">
            
                <a href="https://www.trendmicro.com/en_us/research.html?category=trend-micro-research:threats/apt-and-targeted-attacks">APT &amp; Targeted Attacks</a>
            
        </div>
        <div class="page-title">Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting</div>
    </div>

    <!-- AddThis Container -->
    <div class="addthis_toolbox addthis_default_style">
        <a class="addthis_button_compact addthis_link" href="#">
            <img src="/etc.clientlibs/trendresearch/clientlibs/clientlib-trendresearch/resources/img/share-more.svg" class="addthis-icon" alt="Share"/>
        </a>
        <a class="addthis_button_print addthis_link" title="Print" href="#" tabindex="1000">
            <img src="/etc.clientlibs/trendresearch/clientlibs/clientlib-trendresearch/resources/img/printer.svg" class="addthis-icon" alt="Print"/>
        </a>
        <div class="atclear"></div>
    </div>

    <!-- Subscribe Container -->
    <div class="subscribe">
        <a title="Subscribe" href="https://resources.trendmicro.com/subscription-us.html" data-modal-title="Subscribe" target="target">
            <span class="icon-subscribe"></span> <span class="text">Subscribe</span>
        </a>
    </div>

	</div>
</div>
</div>
		</div>
		<section class="folder-indicators slider">
			<div class="folder-indicators__wrapper">
				<p class="folder-indicators__title">Content added to Folio</p>
				<div class="folder-indicators__button-wrapper">
					<button class="folder-indicators__button counter" id="counter-folder">
						Folio (<span>0</span>)
					</button>
					<button class="folder-indicators__button close">close</button>
				</div>
			</div>
		</section>
	</div>
</span></div>
<div class="root responsivegrid">


<div class="aem-Grid aem-Grid--12 aem-Grid--default--12 ">
    
    <div class="articleBodyNoHero aem-GridColumn aem-GridColumn--default--12"><div class="research-layout article container" role="contentinfo">
    <article class="research-layout--wrapper row" data-article-pageID="2108416925">
        <div class="col-xs-12 col-md-12 one-column">
            <div class="col-xs-12 col-md-12">
                <div class="article-details" role="heading">
	<span class="article-details__bar" role="img"></span>
	<p class="article-details__display-tag">APT &amp; Targeted Attacks</p>
	<h1 class="article-details__title">Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting</h1>
	<p class="article-details__description">We detail the update that advanced persistent threat (APT) group Iron Tiger made on the custom malware family SysUpdate. In this version, we also found components that enable the malware to compromise Linux systems.</p>
	<p class="article-details__author-by">By: Daniel Lunghi
		
			<time class="article-details__date">March 01, 2023</time>
		
		
	</p>

</div>

            </div>
        </div>
		
		<hr class="research-layout-divider"/>

        <main class="main--content col-xs-12 col-md-8 col-md-push-2">
            <div>
	
    


	

</div>
            <div class="richText">
	
    


	
		<div>
			<p>Iron Tiger is an advanced persistent threat (APT) group that has been focused primarily on cyberespionage for more than a decade. In 2022, we noticed that they updated SysUpdate, one of their custom malware families, to include new features and add malware infection support for the Linux platform. </p>
<p>We found the oldest sample of this updated version in July 2022. At the time, we attributed the sample to Iron Tiger but had not yet identified the final payload. It was only after finding multiple similar payloads in late October 2022 that we looked further and found similarities with the SysUpdate malware family that had also been updated in 2021. As with the previous version, Iron Tiger had made the loading logic complex, probably in an attempt to evade security solutions.</p>
<p>This new version has similar features to the 2021 version, except that the C++ run-time type information (RTTI) classes we previously observed in 2021 had been removed, and that the code structure was changed to use the ASIO C++ asynchronous library. Both changes make reverse engineering the samples more time-consuming. We strongly advise organizations and users in the targeted industries to reinforce their security measures to defend their systems and stored information from this ongoing campaign.</p>
<p><span class="body-subhead-title">Campaign development timeline</span></p>
<p>These are the key dates for understanding the chronology of Iron Tiger’s operations:</p>
<ul>
<li><span class="rte-red-bullet">Apr. 2, 2022: Registration of the domain name linked to our oldest Windows sample of SysUpdate</span></li>
<li><span class="rte-red-bullet">May 11, 2022: The command and control (C&amp;C) infrastructure was set up.</span></li>
<li><span class="rte-red-bullet">June 8, 2022: Observed compilation date of our oldest Windows sample (this timestamp could have been tampered with)</span></li>
<li><span class="rte-red-bullet">July 20, 2022: Oldest Windows sample gets uploaded to VirusTotal</span></li>
<li><span class="rte-red-bullet">Oct. 24, 2022: Oldest Linux sample gets uploaded to VirusTotal</span></li>
</ul>
<p>We observed that the attacker registered the oldest domain name one month before starting the C&amp;C configuration then waited one more month before compiling the malicious sample linked to that domain name. We think the gap between the two updates allows the attackers to plan their operations accordingly.</p>
<p><span class="body-subhead-title">Loading process</span></p>
<p>We observed the loading process entailing the following steps:</p>
<ul>
<li><span class="rte-red-bullet">The attacker runs rc.exe, a legitimate, signed “Microsoft Resource Compiler” file that is vulnerable to <a href="https://attack.mitre.org/techniques/T1574/002/">DLL side-loading</a>, and which loads a file named rc.dll.</span></li>
<li><span class="rte-red-bullet">The malicious rc.dll loads a file named rc.bin in memory.</span></li>
<li><span class="rte-red-bullet">The rc.bin file is a <a href="https://www.mandiant.com/resources/blog/shikata-ga-nai-encoder-still-going-strong">Shikata Ga Nai</a> encoded shellcode that decompresses and loads the first stage in memory. Depending on the number of command line parameters, different actions are performed:</span><ul>
<li><span class="rte-circle-bullet">    Zero or two parameters: “Installs” the malware in the system, and calls Stage 1 again via process hollowing with four parameters</span></li>
<li><span class="rte-circle-bullet">    One parameter: Same as previous action but without the “installation”</span></li>
<li><span class="rte-circle-bullet">    Four parameters: Creates a memory section with the DES-encrypted malware configuration and a second Shikata Ga Nai shellcode decompressing and loading Stage 2. It then runs Stage 2 via process hollowing.</span></li>
</ul>
</li>
</ul>
<p>The “installation” step is simple: the malware moves the files to a hardcoded folder. Depending on the privileges of the process, the malware creates either a registry key or a service that launches the moved executable rc.exe with one parameter. This ensures that the malware will be launched during the next reboot, skipping the installation part.</p>

		</div>
	

</div>
            <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/23/c/iron-tiger-sysupdate-reappears-adds-linux-targeting/figure1-iron-tiger-sysupdate-reappears-adds-linux-targeting.png" alt="fig1-iron-tiger-sysupdate-adds-linux-targeting"/>
		
   		<figcaption>Figure 1. Updated SysUpdate loading process routine</figcaption>
	</figure>

</div>
            <div>




    
    
    <div class="richText">
	
    


	
		<div>
			<p>We saw different legitimate executables being used, sideloading different DLL names, and multiple binary file names being loaded by those DLLs. We identified the executables and sideloaded files as follows:</p>

		</div>
	

</div>


    
    
    <div class="richText">
	
    


	
		<div class="responsive-table-wrap">
			<table cellpadding="1" cellspacing="0" border="1" width="100%">
<caption>Table 1. SysUpdate’s seemingly legitimate executables and their respective sideloaded files</caption>
<tbody><tr><th scope="col" style="text-align: center;"><b>Legitimate application name</b></th>
<th scope="col" style="text-align: center;">Certificate signer</th>
<th scope="col" style="text-align: center;"><b>Side-loaded DLL name</b></th>
<th scope="col" style="text-align: center;"><b>Loaded binary file name</b></th>
</tr><tr><td>INISafeWebSSO.exe</td>
<td>Initech</td>
<td>inicore_v2.3.30.dll</td>
<td>inicore_v2.3.30.bin</td>
</tr><tr><td>rc.exe</td>
<td>Microsoft</td>
<td>rcdll.dll</td>
<td>rcdll.bin</td>
</tr><tr><td>dlpumgr32.exe</td>
<td>DESlock</td>
<td>DLPPREM32.dll</td>
<td>sv.bin</td>
</tr><tr><td>GDFInstall.exe</td>
<td>UBISOFT ENTERTAINMENT</td>
<td>GameuxInstallHelper.DLL</td>
<td>sysconfig.bin</td>
</tr><tr><td>route-null.exe</td>
<td>Wazuh</td>
<td>libwazuhshared.dll</td>
<td>wazuhext.bin</td>
</tr><tr><td>route-null.exe</td>
<td>Wazuh</td>
<td>libwazuhshared.dll</td>
<td>agent-config.bin</td>
</tr><tr><td>wazuh-agent.exe</td>
<td>Wazuh</td>
<td>libwinpthread-1.dll</td>
<td>wazuhext.bin</td>
</tr></tbody></table>

		</div>
	

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p>We want to highlight that this is the first time we observed a threat actor abusing a sideloading vulnerability in a Wazuh signed executable. Wazuh is a free and open source security platform, and we could confirm that one of the victims was using the legitimate Wazuh platform. It is highly likely that Iron Tiger specifically looked for this vulnerability to appear legitimate in the victim’s environment. We have notified the affected victim of this intrusion but received no feedback.</p>
<p><span class="body-subhead-title">Malware features</span></p>
<p>Looking at the features, several of the functions found in the latest update are similar to the previous SysUpdate version:</p>
<ul>
<li><span class="rte-red-bullet">Service manager (lists, starts, stops, and deletes services)</span></li>
<li><span class="rte-red-bullet">Screenshot grab</span></li>
<li><span class="rte-red-bullet">Process manager (browses and terminates processes)</span></li>
<li><span class="rte-red-bullet">Drive information retrieval</span></li>
<li><span class="rte-red-bullet">File manager (finds, deletes, renames, uploads, downloads a file, and browses a directory)</span></li>
<li><span class="rte-red-bullet">Command execution</span></li>
</ul>
<p>Iron Tiger also added a feature that had not been seen before in this malware family: C&amp;C communication through DNS TXT requests. While DNS is not supposed to be a communication protocol, the attacker abuses this protocol to send and receive information. </p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/23/c/iron-tiger-sysupdate-reappears-adds-linux-targeting/figure2-iron-tiger-sysupdate-reappears-adds-linux-targeting.png" alt="fig2-iron-tiger-sysupdate-adds-linux-targeting"/>
		
   		<figcaption>Figure 2. C&amp;C communication with DNS TXT records</figcaption>
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p>First, the malware retrieves the configured DNS servers by calling the GetNetworkParams API function and parsing the DnsServerList linked list. If this method fails, the malware uses the DNS server operated by Google at IP address 8.8.8.8.</p>
<p>For the first request, the malware generates a random 32-bit number and appends 0x2191 to it. This results in six bytes — four for the random number, two for 0x2191 — which the malware then encodes with the Base32 algorithm using the alphabet “abcdefghijklmnopqrstuvwxyz012345”. Looking at Figure 2, the contacted domain name is after &quot;TXT&quot;; only the first four letters change, as the rest of the encoded series is always the same. This is because the random number changes every time, but the trailing 0x2191 value stays the same. This explains why the first DNS request always ends with “reeaaaaaa.&lt;c&amp;c domain&gt;”, a fixed pattern that defenders can look for in DNS TXT query logs. If the C&amp;C reply matches the format expected by the malware, it launches multiple threads that handle further commands and sends information about the infected machine.</p>
<p>Interestingly, the code related to this DNS C&amp;C communication is only present in samples that use it, meaning that the builder is modular and that there might be samples in the wild with unreported features. We continue monitoring this group and malware family for updates on possible variations of C&amp;C communication protocols being abused.</p>
<p>In all versions, the malware retrieves information on the infected machine and sends it to the C&amp;C encrypted with DES. Collected machine information includes the following:</p>
<ul>
<li><span class="rte-red-bullet">Randomly generated GUID</span></li>
<li><span class="rte-red-bullet">Hostname</span></li>
<li><span class="rte-red-bullet">Domain name</span></li>
<li><span class="rte-red-bullet">Username</span></li>
<li><span class="rte-red-bullet">User privileges</span></li>
<li><span class="rte-red-bullet">Processor architecture</span></li>
<li><span class="rte-red-bullet">Current process ID</span></li>
<li><span class="rte-red-bullet">Operating system version</span></li>
<li><span class="rte-red-bullet">Current file path</span></li>
<li><span class="rte-red-bullet">Local IP address and port used to send the network packet</span></li>
</ul>
<p>The configuration is encrypted with a hardcoded DES key and is a few bytes long following the structure enumerated below:</p>

		</div>
	

</div>


    
    
    <div class="richText">
	
    


	
		<div class="responsive-table-wrap">
			<table cellpadding="1" cellspacing="0" border="1" width="100%">
<caption>Table 2. Configuration structure</caption>
<tbody><tr><th scope="col" style="text-align: center;">Field content</th>
<th scope="col" style="text-align: center;">Length (in bytes)</th>
<th scope="col" style="text-align: center;">Comment</th>
<th scope="col" style="text-align: center;">Example</th>
</tr><tr><td>Header</td>
<td>4</td>
<td>We only found one value</td>
<td>0x00000001</td>
</tr><tr><td>GUID</td>
<td>38</td>
<td>Follows the <a href="https://learn.microsoft.com/en-us/windows/win32/msi/guid">Microsoft</a> format</td>
<td>{89D0E853-FA08-4f94-A5FE-A90E6869E074}</td>
</tr><tr><td>Size of the C&amp;C section</td>
<td>4</td>
<td> </td>
<td>0x00000018</td>
</tr><tr><td>Size of the next C&amp;C domain name and port</td>
<td>4</td>
<td> </td>
<td>0x00000014</td>
</tr><tr><td>C&amp;C type</td>
<td>1</td>
<td><p>0x01 = regular C&amp;C</p>
<p>0x05 = DNS tunneling</p>
<p>0x00 = regular C&amp;C</p>
</td>
<td>0x01</td>
</tr><tr><td>C&amp;C domain name</td>
<td>Variable</td>
<td> </td>
<td>dev.gitlabs.me</td>
</tr><tr><td>Port number</td>
<td>4</td>
<td> </td>
<td>0x00000050</td>
</tr><tr><td>Size of next section</td>
<td>4</td>
<td>Next section contains all the hardcoded names (folder, files, registry values)</td>
<td>0x00000034</td>
</tr><tr><td>Name of the hardcoded directory where files are copied</td>
<td>Variable</td>
<td>The folder is located either in % [remainder of this cell is missing in the source]</td>
<td>gtdcfp</td>
</tr><tr><td>Name of the executable vulnerable to side loading</td>
<td>Variable</td>
<td> </td>
<td>TextInputHost.exe</td>
</tr><tr><td>Name of the malicious side-loaded DLL</td>
<td>Variable</td>
<td> </td>
<td>rc.dll</td>
</tr><tr><td>Name of the binary file containing the encoded Stage 1</td>
<td>Variable</td>
<td> </td>
<td>rc.bin</td>
</tr><tr><td>Name of the service or registry key value used for persistence</td>
<td>Variable</td>
<td> </td>
<td>gtdcfp</td>
</tr></tbody></table>

		</div>
	

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p>We noted that Stage 2 does not embed the configuration file, which is copied in memory by the previous stage. We only saw one case where there was only one stage being decrypted in memory and the configuration was hardcoded.</p>
<p>Interestingly, all the samples of this “new” version had a domain name as its C&amp;C. In the previous version of SysUpdate, the group used hardcoded IP addresses as C&amp;C. It is possible that this change is a consequence of the new DNS TXT records’ communication feature as it requires a domain name.</p>
<p><span class="body-subhead-title">SysUpdate samples for Linux</span></p>
<p>While investigating SysUpdate’s infrastructure, we found some ELF files linked to some C&amp;C servers. We analyzed them and concluded that the files were a SysUpdate version made for the Linux platform. The ELF samples were also written in C++, made use of the Asio library, shared common network encryption keys, and had many similar features. For example, the file handling functions are almost the same. It is possible that the developer made use of the Asio library because of its portability across multiple platforms.</p>
<p>Some parameters can be passed to the binary (note that “Boolean” refers to Boolean data that is sent to the C&amp;C):</p>

		</div>
	

</div>


    
    
    <div class="richText">
	
    


	
		<div class="responsive-table-wrap">
			<table cellpadding="1" cellspacing="0" border="1" width="100%">
<caption>Table 3. Parameters passed to the binary as observed from Linux SysUpdate samples</caption>
<tbody><tr><th scope="col">Parameter</th>
<th scope="col">Effect</th>
</tr><tr><td>-launch</td>
<td>Sets persistence, zeroes boolean, and exits</td>
</tr><tr><td>-run</td>
<td>Zeroes boolean and continues</td>
</tr><tr><td>-x</td>
<td>Daemonizes the process, zeroes boolean, and continues</td>
</tr><tr><td>-i</td>
<td>Daemonizes the process, zeroes boolean, sets persistence, and continues</td>
</tr><tr><td>-f &lt;guid&gt;</td>
<td>Sets the GUID to &lt;guid&gt; and continues</td>
</tr></tbody></table>

		</div>
	

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p>Persistence is ensured by copying a script named similarly to the current file to the <i>/usr/lib/systemd/system/</i> directory, and creating a symlink to this file in the <i>/etc/systemd/system/multi-user.target.wants/</i> directory. Thus, this method only works if the current process has root privileges. The content of the script is:</p>
<p><span class="blockquote">[Unit]<br />
 Description=xxx<br />
 [Service]<br />
 Type=forking<br />
 ExecStart=&lt;path to current file&gt; -x<br />
 ExecStop=/usr/bin/id<br />
 [Install]<br />
 WantedBy=multi-user.target</span></p>
<p>After running the code that depends on the parameters, if the operator has not chosen a GUID with the “-f” parameter, the malware generates a random GUID and writes it to a file named similarly to the current file, with a “d” appended to it. Then, the malware retrieves information on the compromised computer and sends it to the C&amp;C.</p>
<p>The following information is sent to the C&amp;C, encrypted with a hardcoded key and DES CBC algorithm:</p>
<ul>
<li><span class="rte-red-bullet">GUID</span></li>
<li><span class="rte-red-bullet">Host name</span></li>
<li><span class="rte-red-bullet">Username</span></li>
<li><span class="rte-red-bullet">Local IP address and port used to send the request</span></li>
<li><span class="rte-red-bullet">Current PID</span></li>
<li><span class="rte-red-bullet">Kernel version and machine architecture</span></li>
<li><span class="rte-red-bullet">Current file path</span></li>
<li><span class="rte-red-bullet">Boolean (0 if it was launched with exactly one parameter, 1 otherwise)</span></li>
</ul>
<p>For the DNS C&amp;C communication version, the malware retrieves the configured DNS server by reading the content of the <i>/etc/resolv.conf</i> file, or uses the DNS server operated by Google at IP address 8.8.8.8.</p>
<p>In 2022, we already <a href="https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html">noticed</a> that this threat actor was interested in platforms other than Windows, with the <a href="https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html#:~:text=Malware%20analysis-,rshell,-The%20rshell%20executable">rshell</a> malware family running on Linux and Mac OS. For these reasons, we would not be surprised to see SysUpdate samples for the Mac OS platform in the future. Interestingly, most of the Linux samples we found used the new DNS tunneling feature we detailed in Figure 2, while only one of the Windows samples used it.</p>
<p><span class="body-subhead-title">Certificate compromise</span></p>
<p>Another interesting part of this campaign is the fact that some of the malicious files are signed with a certificate with the following signer: “Permyakov Ivan Yurievich IP”. Looking for that name in search engines brings results from the official <a href="https://vmpsoft.com/">VMProtect</a> website. The email address linked to the Authenticode certificate also links to that domain name. VMProtect is a commercial software intended to make analysis of code extremely difficult by implementing a custom virtual machine with non-standard architecture. The software has been <a href="https://www.trendmicro.com/vinfo/tmr/?/us/security/news/cyber-attacks/winnti-group-resurfaces-with-portreuse-backdoor-now-engages-in-illicit-cryptocurrency-mining">used</a> <a href="https://vb2020.vblocalhost.com/uploads/VB2020-06.pdf">by</a> <a href="https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html">multiple APT</a> and <a href="https://www.trendmicro.com/en_us/research/18/f/new-killdisk-variant-hits-latin-american-financial-organizations-again.html">cybercrime groups</a> in the past to obfuscate their malware.</p>
<p>When searching malware repositories for other files signed by the same certificate, we find multiple files named “VMProtectDemo.exe”, “VMProtect.exe”, or “VMProtect_Con.exe”, which suggests that an official demo version of VMProtect is also signed by this certificate. It appears that the threat actor managed to retrieve the private key, allowing them to sign malicious code. As of this writing, the certificate has been revoked.</p>
<p>Using stolen certificates to sign malicious code is a common practice for this threat actor, as we already highlighted in <a href="https://www.erai.com/CustomUploads/ca/wp/2015_12_wp_operation_iron_tiger.pdf">2015</a> and in all our <a href="https://www.trendmicro.com/en_no/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html">recent</a> <a href="https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html">investigations</a>. Interestingly, the threat actor not only signed some of its malicious executables with the stolen certificate, but also used VMProtect to obfuscate one of them.</p>
<p>In late January 2023, a Redline stealer sample (detected by Trend Micro as TrojanSpy.Win32.REDLINE.YXDA1Z, SHA256: e24b29a1df287fe947018c33590a0b443d6967944b281b70fba7ea6556d00109) signed by the same certificate was uploaded. We do not believe that the stealer is linked to Iron Tiger, considering that the network infrastructure is different, and previous reports document the malware’s goals to be centered on committing cybercrime rather than data theft. This could mean other users managed to extract the same private key from the VMProtect demo version, or it was sold in the underground to different groups, Iron Tiger among them.</p>
<p><span class="body-subhead-title">Infection vector</span></p>
<p>We did not find an infection vector. However, we noticed that one of the executables packed with VMProtect and signed with the stolen certificate was named “youdu_client_211.9.194.exe”. <a href="https://youdu.im/">Youdu</a> is the name of a Chinese instant messaging application aimed at enterprise customers. Its website mentions multiple customers in many industries, some of them in critical sectors such as government, energy, healthcare, or banking. But they also have other customers in industries such as gaming, IT, media, construction, and retail, apparently all located inside China.</p>
<p>The properties of the malicious file also match the usual Youdu version numbering. However, the legitimate files are signed with a “Xinda.im” certificate instead of the stolen VMProtect certificate.</p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/23/c/iron-tiger-sysupdate-reappears-adds-linux-targeting/figure3-iron-tiger-sysupdate-reappears-adds-linux-targeting.jpg" alt="fig3-iron-tiger-sysupdate-adds-linux"/>
		
   		<figcaption>Figure 3. Comparing the properties of the malicious file (left), and properties of the legitimate Youdu installer (right)</figcaption>
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p>As seen in the product name identified in the malicious file’s properties, we searched for possible products named “i Talk” but did not find any that could be related to this investigation. However, we found traces of files from the legitimate Youdu chat application signed by Xinda.im being copied to folders named “i Talk” on one victim’s computer. This suggests that some chat application named “i Talk” might be repackaging components from the official Youdu client along with malicious executables. It appears that a chat application was used as a lure to entice the victim into opening the malicious file. This would be consistent with the tactics, techniques, and procedures (TTPs) of two previous Iron Tiger campaigns from 2020 and 2021: a documented <a href="https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/">compromise</a> of a chat application widely used by the Mongolian government, and a supply chain attack on Mimi chat, a <a href="https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html">chat application</a> used in parts of South East Asia.</p>
<p><span class="body-subhead-title">Post-exploitation tools</span></p>
<p>We found a custom Chrome password and cookie grabber that was unfamiliar to us; it was compiled and uploaded in September 2022. The file was also signed with the VMProtect certificate but it was not obfuscated. In general, the features were simple; the malware decrypts the saved passwords to a file named “passwords.txt”, and the cookies to a file named “cookies.txt”.</p>
<p>Analyzing its details, the malware first parses the “Local State” file to retrieve the AES key used to encrypt the cookies and passwords. It then copies the “Login Data” file to a temporary file “chromedb_tmp”, issues an SQL query to extract the URL, login, and password fields from the file, and then decrypts them and appends the result to the “passwords.txt” file.</p>
<p>It proceeds to copy the “Cookies” file to a temporary file “chromedb_tmp”, extracts multiple fields from it using an SQL query, and then decrypts the content before copying the result to the “cookies.txt” file. Some specific cookies related to Google domain names are ignored, probably because they are mostly related to specific Google features or tracking that are considered useless by the threat actor.</p>
<p>We found two other samples of this stealer: one compilation date indicated an executable built in November 2020, and the other one in December 2021, although those dates could have been tampered with. We found those samples were uploaded in November 2021 and August 2022, meaning this stealer has existed since at least late 2021.</p>
<p><span class="body-subhead-title">Targeting</span></p>
<p>We identified one gambling company in the Philippines as compromised by this campaign. Interestingly, the threat actor registered a domain name similar to the company name and used it as a C&amp;C. This was not surprising as we have noticed this threat actor targeting this industry since 2019 during our <a href="https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf">Operation DRBControl</a> investigation, and <a href="https://www.trendmicro.com/en_no/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html">later</a> in 2021 with an update of SysUpdate. We also attempted to notify the company of this incident through all their listed channels but have received no feedback.</p>
<p>As stated in the “Infection Vector” section, we noticed the Youdu chat application was probably used as a lure. It is worth mentioning that the customers listed on the official Youdu website are all located inside China, which could be an indicator of the threat actor’s interest in targets related to this country.</p>
<p><span class="body-subhead-title">Conclusion</span></p>
<p>This investigation confirms that Iron Tiger regularly updates its tools to add new features and probably to ease their portability to other platforms, confirming the interest in Linux or Mac OS that we have seen from this threat actor. It also corroborates this threat actor’s interest in the gambling industry and the Southeast Asia region, as we previously noted in <a href="https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf">2020</a> and <a href="https://www.trendmicro.com/en_no/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html">2021</a>.</p>
<p>This campaign also substantiates Iron Tiger’s regular use of chat applications as infection vectors. We expect to find further updates of these tools in the future to accommodate other platforms and apps.</p>
<p>As an additional warning, we want to highlight that the targeting can be wider than what the samples and targeting we have already observed suggest. In 2022, we <a href="https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html">discussed</a> a campaign targeting Taiwan and the Philippines that made use of HyperBro samples (detected by Trend Micro as Backdoor.Win32.HYPERBRO.ENC) signed with a stolen Cheetah certificate. The BfV, a German governmental entity, published a <a href="https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf?__blob=publicationFile&amp;v=10">report</a> in January 2022 mentioning attacks against German companies with HyperBro samples that were signed with the same certificate. In October 2022, Intrinsec <a href="https://www.intrinsec.com/apt27-analysis/">reported</a> an incident at a French company that also involved HyperBro samples matching the structure we described in our 2021 <a href="https://www.trendmicro.com/en_no/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html">investigation</a>. This shows the threat actor is likely to reuse the tools mentioned here in future campaigns that might target different regions or industries in the short and long term. Considering the active campaign and the regular development of this malware family, organizations are advised to strengthen and broaden their existing security measures and to remain vigilant for possible infection vectors that this threat group can abuse.</p>
<p><span class="body-subhead-title">Indicators of Compromise (IOCs)</span></p>
<p>Download the full list of indicators <a href="/content/dam/trendmicro/global/en/research/23/c/iron-tiger-sysupdate-reappears-adds-linux-targeting/IOCs-iron-tiger-sysupdate-reappears-adds-linux-targeting.txt">here</a>.</p>

		</div>
	

</div>


</div>

        </main>

        <sidebar class="sidebar--left col-xs-12 col-md-2 col-md-pull-8">
            


<h3 class="article-authors__title">
	
		Authors
	
</h3>

<!-- /* Show Trend Micro if we don't have any authors for this article */ -->


<ul class="article-authors__list">
	<li class="article-authors__list-items">
		
		<div class="article-authors__wrapper" role="contentinfo authors profile">
			
			
				<p class="article-authors__list-items__name">Daniel Lunghi</p>
			
			<p class="article-authors__list-items__position">Threat Researcher</p>
		</div>
	</li>
</ul>

	

    

        </sidebar>

    </article>
</div></div>

    
</div>
</div>


			

    </body>
</html>
